rpms/selinux-policy/F-12 modules-minimum.conf, 1.41, 1.42 modules-targeted.conf, 1.150, 1.151 policy-F12.patch, 1.116, 1.117 selinux-policy.spec, 1.949, 1.950

Daniel J Walsh dwalsh at fedoraproject.org
Fri Oct 23 14:40:40 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31993

Modified Files:
	modules-minimum.conf modules-targeted.conf policy-F12.patch 
	selinux-policy.spec 
Log Message:
* Fri Oct 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-33
- Allow firefox to transition to java



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-minimum.conf,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -p -r1.41 -r1.42
--- modules-minimum.conf	21 Oct 2009 15:55:49 -0000	1.41
+++ modules-minimum.conf	23 Oct 2009 14:40:38 -0000	1.42
@@ -1682,6 +1682,13 @@ timidity = off
 tftp = module
 
 # Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
 # Module: uucp
 #
 # Unix to Unix Copy


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-targeted.conf,v
retrieving revision 1.150
retrieving revision 1.151
diff -u -p -r1.150 -r1.151
--- modules-targeted.conf	21 Oct 2009 15:55:49 -0000	1.150
+++ modules-targeted.conf	23 Oct 2009 14:40:38 -0000	1.151
@@ -1682,6 +1682,13 @@ timidity = off
 tftp = module
 
 # Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
 # Module: uucp
 #
 # Unix to Unix Copy

policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/brctl.te             |    2 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.te       |    1 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |   10 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/logrotate.te         |   13 
 policy/modules/admin/logwatch.te          |    1 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    1 
 policy/modules/admin/ntop.fc              |    5 
 policy/modules/admin/ntop.if              |  158 +++
 policy/modules/admin/ntop.te              |   40 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.if           |    4 
 policy/modules/admin/prelink.te           |    2 
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   18 
 policy/modules/admin/rpm.if               |  324 ++++++
 policy/modules/admin/rpm.te               |   95 +
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    2 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   66 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |    5 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |    5 
 policy/modules/admin/usermanage.te        |   34 
 policy/modules/admin/vbetool.te           |   14 
 policy/modules/admin/vpn.te               |    2 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/chrome.fc             |    2 
 policy/modules/apps/chrome.if             |   85 +
 policy/modules/apps/chrome.te             |   61 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   31 
 policy/modules/apps/execmem.if            |   76 +
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |    3 
 policy/modules/apps/firewallgui.te        |   63 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  170 +++
 policy/modules/apps/gnome.te              |   99 +
 policy/modules/apps/gpg.te                |   20 
 policy/modules/apps/java.fc               |   18 
 policy/modules/apps/java.if               |  114 ++
 policy/modules/apps/java.te               |   19 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   65 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   50 
 policy/modules/apps/livecd.te             |   26 
 policy/modules/apps/loadkeys.te           |    4 
 policy/modules/apps/mono.if               |  101 +
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   32 
 policy/modules/apps/mozilla.te            |   22 
 policy/modules/apps/nsplugin.fc           |   11 
 policy/modules/apps/nsplugin.if           |  323 ++++++
 policy/modules/apps/nsplugin.te           |  295 +++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/pulseaudio.if         |    2 
 policy/modules/apps/pulseaudio.te         |   11 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  190 +++
 policy/modules/apps/qemu.te               |   82 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   57 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  184 +++
 policy/modules/apps/sandbox.te            |  330 ++++++
 policy/modules/apps/screen.if             |    7 
 policy/modules/apps/sectoolm.fc           |    6 
 policy/modules/apps/sectoolm.if           |    3 
 policy/modules/apps/sectoolm.te           |  120 ++
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   81 +
 policy/modules/apps/seunshare.te          |   45 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |  115 ++
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   31 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   36 
 policy/modules/kernel/devices.fc          |   11 
 policy/modules/kernel/devices.if          |  255 +++++
 policy/modules/kernel/devices.te          |   25 
 policy/modules/kernel/domain.if           |  151 ++
 policy/modules/kernel/domain.te           |   88 +
 policy/modules/kernel/files.fc            |    3 
 policy/modules/kernel/files.if            |  324 ++++++
 policy/modules/kernel/files.te            |    6 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  211 ++++
 policy/modules/kernel/filesystem.te       |    9 
 policy/modules/kernel/kernel.if           |   58 +
 policy/modules/kernel/kernel.te           |   29 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |    3 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   40 
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  123 --
 policy/modules/roles/sysadm.te            |  124 --
 policy/modules/roles/unconfineduser.fc    |    8 
 policy/modules/roles/unconfineduser.if    |  638 ++++++++++++
 policy/modules/roles/unconfineduser.te    |  425 ++++++++
 policy/modules/roles/unprivuser.te        |  127 --
 policy/modules/roles/xguest.te            |   37 
 policy/modules/services/abrt.fc           |    2 
 policy/modules/services/abrt.if           |   58 +
 policy/modules/services/abrt.te           |   26 
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    1 
 policy/modules/services/aisexec.fc        |   12 
 policy/modules/services/aisexec.if        |  106 ++
 policy/modules/services/aisexec.te        |  112 ++
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   41 
 policy/modules/services/apache.if         |  410 +++++---
 policy/modules/services/apache.te         |  445 +++++++-
 policy/modules/services/apm.te            |    2 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bluetooth.if      |   21 
 policy/modules/services/bluetooth.te      |    9 
 policy/modules/services/ccs.fc            |    8 
 policy/modules/services/ccs.te            |   33 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 ++
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   16 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   98 +
 policy/modules/services/clogd.te          |   62 +
 policy/modules/services/cobbler.fc        |    2 
 policy/modules/services/cobbler.if        |   24 
 policy/modules/services/cobbler.te        |    5 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   20 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 ++
 policy/modules/services/corosync.te       |  109 ++
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |   72 +
 policy/modules/services/cron.te           |   82 +
 policy/modules/services/cups.fc           |   13 
 policy/modules/services/cups.te           |   42 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    1 
 policy/modules/services/dbus.if           |   49 
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   58 +
 policy/modules/services/dnsmasq.te        |   12 
 policy/modules/services/dovecot.te        |   22 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.te       |    2 
 policy/modules/services/fetchmail.te      |    2 
 policy/modules/services/fprintd.te        |    4 
 policy/modules/services/ftp.te            |   60 +
 policy/modules/services/git.fc            |    8 
 policy/modules/services/git.if            |  286 +++++
 policy/modules/services/git.te            |  166 +++
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   48 
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.fc          |    2 
 policy/modules/services/inetd.te          |    4 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.te       |   13 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/lircd.fc          |    1 
 policy/modules/services/lircd.if          |    9 
 policy/modules/services/lircd.te          |   21 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    2 
 policy/modules/services/milter.if         |    2 
 policy/modules/services/modemmanager.te   |    3 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   10 
 policy/modules/services/mta.te            |   36 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    3 
 policy/modules/services/mysql.te          |    7 
 policy/modules/services/nagios.fc         |   16 
 policy/modules/services/nagios.if         |   70 +
 policy/modules/services/nagios.te         |   72 -
 policy/modules/services/networkmanager.fc |   14 
 policy/modules/services/networkmanager.if |   65 +
 policy/modules/services/networkmanager.te |  115 +-
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.if           |   18 
 policy/modules/services/nscd.te           |   17 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nut.fc            |   15 
 policy/modules/services/nut.if            |   82 +
 policy/modules/services/nut.te            |  140 ++
 policy/modules/services/nx.fc             |    1 
 policy/modules/services/nx.if             |   19 
 policy/modules/services/nx.te             |    6 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/openvpn.te        |    2 
 policy/modules/services/pcscd.te          |    3 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/plymouth.fc       |    5 
 policy/modules/services/plymouth.if       |  286 +++++
 policy/modules/services/plymouth.te       |   96 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   48 
 policy/modules/services/policykit.te      |   64 -
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++
 policy/modules/services/postfix.te        |  142 ++
 policy/modules/services/postgresql.fc     |   16 
 policy/modules/services/postgresql.if     |   43 
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   16 
 policy/modules/services/prelude.te        |    1 
 policy/modules/services/privoxy.fc        |    3 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/radvd.te          |    1 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |    8 
 policy/modules/services/rgmanager.if      |   59 +
 policy/modules/services/rgmanager.te      |   83 +
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  348 ++++++
 policy/modules/services/rhcs.te           |  394 +++++++
 policy/modules/services/ricci.te          |   30 
 policy/modules/services/rpc.if            |    7 
 policy/modules/services/rpc.te            |   16 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rpcbind.te        |    1 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    2 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  104 ++
 policy/modules/services/samba.te          |   89 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   87 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  123 ++
 policy/modules/services/setroubleshoot.te |   81 +
 policy/modules/services/smartmon.te       |   15 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    4 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  137 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  184 ++-
 policy/modules/services/ssh.te            |   77 -
 policy/modules/services/sssd.fc           |    5 
 policy/modules/services/sssd.if           |   43 
 policy/modules/services/sssd.te           |   12 
 policy/modules/services/sysstat.te        |    5 
 policy/modules/services/tftp.fc           |    2 
 policy/modules/services/tuned.fc          |    6 
 policy/modules/services/tuned.if          |  136 ++
 policy/modules/services/tuned.te          |   59 +
 policy/modules/services/uucp.te           |    7 
 policy/modules/services/virt.fc           |   12 
 policy/modules/services/virt.if           |  165 +++
 policy/modules/services/virt.te           |  286 +++++
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   37 
 policy/modules/services/xserver.if        |  588 ++++++++++-
 policy/modules/services/xserver.te        |  336 +++++-
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   11 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  207 +++-
 policy/modules/system/authlogin.te        |   10 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  158 ++-
 policy/modules/system/init.te             |  285 ++++-
 policy/modules/system/ipsec.fc            |    3 
 policy/modules/system/ipsec.if            |   25 
 policy/modules/system/ipsec.te            |   58 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 +
 policy/modules/system/iptables.te         |   15 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    6 
 policy/modules/system/libraries.fc        |  160 ++-
 policy/modules/system/libraries.if        |    5 
 policy/modules/system/libraries.te        |   18 
 policy/modules/system/locallogin.te       |   30 
 policy/modules/system/logging.fc          |   12 
 policy/modules/system/logging.if          |   18 
 policy/modules/system/logging.te          |   38 
 policy/modules/system/lvm.if              |   39 
 policy/modules/system/lvm.te              |   29 
 policy/modules/system/miscfiles.fc        |    2 
 policy/modules/system/miscfiles.if        |   60 +
 policy/modules/system/miscfiles.te        |    3 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   46 
 policy/modules/system/modutils.te         |   46 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |    2 
 policy/modules/system/mount.te            |   76 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  309 ++++++
 policy/modules/system/selinuxutil.te      |  229 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |    9 
 policy/modules/system/sysnetwork.if       |  117 ++
 policy/modules/system/sysnetwork.te       |   77 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   39 
 policy/modules/system/udev.te             |   39 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 --------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |    6 
 policy/modules/system/userdomain.if       | 1517 ++++++++++++++++++++++--------
 policy/modules/system/userdomain.te       |   47 
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   28 
 policy/modules/system/xen.te              |  137 ++
 policy/support/obj_perm_sets.spt          |   14 
 policy/users                              |   13 
 372 files changed, 18201 insertions(+), 2748 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -p -r1.116 -r1.117
--- policy-F12.patch	22 Oct 2009 19:59:10 -0000	1.116
+++ policy-F12.patch	23 Oct 2009 14:40:38 -0000	1.117
@@ -641,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-10-21 09:33:05.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-10-23 08:38:05.000000000 -0400
 @@ -13,11 +13,34 @@
  interface(`rpm_domtrans',`
  	gen_require(`
@@ -689,7 +689,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_run_loadpolicy(rpm_script_t, $2)
  	seutil_run_semanage(rpm_script_t, $2)
  	seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,36 @@
+@@ -146,6 +174,40 @@
  
  ########################################
  ## <summary>
@@ -711,14 +711,18 @@ diff -b -B --ignore-all-space --exclude-
 +	')
 +
 +	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
++ 	dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
++	dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms;
++	dontaudit $1 rpm_t:shm rw_shm_perms;
++
 +	dontaudit $1 rpm_script_t:fd use;
 +	dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
++
 +	dontaudit $1 rpm_var_run_t:file write_file_perms;
++
 +	dontaudit $1 rpm_tmp_t:file rw_file_perms;
-+	dontaudit $1 rpm_t:shm rw_shm_perms;
 + 	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
 + 	dontaudit $1 rpm_tmpfs_t:file write_file_perms;
-+ 	dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
 +')
 +
 +########################################
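Review bot: The relocated `dontaudit $1 rpm_t:tcp_socket rw_socket_perms;` line is indented with a space followed by a tab, while the two lines beside it (`rpm_t:unix_dgram_socket`, `rpm_t:shm`) use a single tab, and the two `rpm_tmpfs_t` lines further down carry the same space-plus-tab indent, so the block now mixes both styles; dropping the leading space on those three lines keeps the interface uniform. The `rpm_t:unix_dgram_socket rw_socket_perms` rule is the only genuinely new entry in this hunk, and since the interface exists to silence denials on descriptors inherited from rpm rather than to grant access, a comment such as `# leaked descriptors inherited from rpm_t; not a real access need` above the group would make it clear these rules can be dropped once the leak is fixed. The interface's opening line and name are outside the hunk.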
@@ -726,7 +730,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -167,6 +225,68 @@
+@@ -167,6 +229,68 @@
  
  ########################################
  ## <summary>
@@ -795,7 +799,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -186,6 +306,24 @@
+@@ -186,6 +310,24 @@
  
  ########################################
  ## <summary>
@@ -820,7 +824,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
-@@ -219,7 +357,51 @@
+@@ -219,7 +361,51 @@
  	')
  
  	files_search_tmp($1)
@@ -872,7 +876,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -241,6 +423,25 @@
+@@ -241,6 +427,25 @@
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -898,7 +902,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -265,6 +466,47 @@
+@@ -265,6 +470,47 @@
  
  ########################################
  ## <summary>
@@ -946,7 +950,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to create, read, 
  ##	write, and delete the RPM package database.
  ## </summary>
-@@ -283,3 +525,81 @@
+@@ -283,3 +529,81 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -1953,8 +1957,8 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
 --- nsaserefpolicy/policy/modules/apps/execmem.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if	2009-10-22 14:59:29.000000000 -0400
-@@ -0,0 +1,74 @@
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if	2009-10-23 09:23:30.000000000 -0400
+@@ -0,0 +1,76 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -2020,6 +2024,8 @@ diff -b -B --ignore-all-space --exclude-
 +	domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
 +	corecmd_bin_domtrans($1_execmem_t, $1_t)
 +
++	files_execmod_tmp($1_execmem_t)
++
 +	optional_policy(`
 +		chrome_role($2, $1_execmem_t)
 +	')
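Review bot: `files_execmod_tmp($1_execmem_t)` grants execmod on every type carrying the `tmpfile` attribute to each role's execmem domain, but nothing in the hunk says which execmem application needs text relocations on tmp files, and the interface's own description in files.if says it was added for the java policy. A why-comment above the call, such as `# text relocations on objects unpacked under /tmp — needed by <application>; TODO confirm`, with the application filled in, would let a later reviewer judge whether the grant can be narrowed or removed. As far as I can tell execmod is checked in addition to, not instead of, execute on the file, so this relaxes the relocation check only; that is worth stating too. The enclosing template begins and ends outside this hunk.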
@@ -2596,7 +2602,7 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/lib/opera(/.*)?/works	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/java.if	2009-10-07 16:35:17.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/java.if	2009-10-23 09:22:39.000000000 -0400
 @@ -30,6 +30,7 @@
  
  	allow java_t $2:unix_stream_socket connectto;
@@ -2605,7 +2611,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -71,24 +72,129 @@
+@@ -71,24 +72,131 @@
  
  ########################################
  ## <summary>
@@ -2733,6 +2739,8 @@ diff -b -B --ignore-all-space --exclude-
 +	fs_dontaudit_rw_tmpfs_files($1_java_t)
 +	corecmd_bin_domtrans($1_java_t, $1_t)
 +
++	files_execmod_all_files($1_java_t)
++
 +	optional_policy(`
 +		xserver_common_app($1_java_t)
 +		xserver_role($1_r, $1_java_t)
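Review bot: `files_execmod_all_files($1_java_t)` grants execmod on every file type to each role's java domain, which is the broadest relocation allowance available, and the hunk records no reason for it. The same patch adds the narrower `files_execmod_tmp` interface and applies it to the execmem domains; if the java runtime only needs relocations on objects it unpacks under /tmp, `files_execmod_tmp($1_java_t)` would cover that without touching system libraries, and otherwise a comment such as `# JVM relocates bundled libraries in place — TODO: list the paths and consider a narrower grant` should record why all files are required. The enclosing template (presumably `java_role_template`, which unconfineduser.te calls in this same commit) begins and ends outside this hunk.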
@@ -2740,7 +2748,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/java.te	2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/java.te	2009-10-23 08:58:46.000000000 -0400
 @@ -20,6 +20,8 @@
  typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
  typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2750,7 +2758,17 @@ diff -b -B --ignore-all-space --exclude-
  type java_tmp_t;
  files_tmp_file(java_tmp_t)
  ubac_constrained(java_tmp_t)
-@@ -80,6 +82,7 @@
+@@ -32,9 +34,6 @@
+ typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+ typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+ 
+-type unconfined_java_t;
+-init_system_domain(unconfined_java_t, java_exec_t)
+-
+ ########################################
+ #
+ # Local policy
+@@ -80,6 +79,7 @@
  dev_write_sound(java_t)
  dev_read_urand(java_t)
  dev_read_rand(java_t)
@@ -2758,7 +2776,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(java_t)
  files_read_usr_files(java_t)
-@@ -131,6 +134,7 @@
+@@ -131,20 +131,9 @@
  ')
  
  optional_policy(`
@@ -2766,25 +2784,20 @@ diff -b -B --ignore-all-space --exclude-
  	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
  ')
  
-@@ -143,8 +147,18 @@
- 	# execheap is needed for itanium/BEA jrocket
- 	allow unconfined_java_t self:process { execstack execmem execheap };
+-########################################
+-#
+-# Unconfined java local policy
+-#
+-
+-optional_policy(`
+-	# execheap is needed for itanium/BEA jrocket
+-	allow unconfined_java_t self:process { execstack execmem execheap };
  
-+	files_execmod_all_files(unconfined_java_t)
-+
- 	init_dbus_chat_script(unconfined_java_t)
+-	init_dbus_chat_script(unconfined_java_t)
  
- 	unconfined_domain_noaudit(unconfined_java_t)
- 	unconfined_dbus_chat(unconfined_java_t)
-+	optional_policy(`
-+		hal_dbus_chat(unconfined_java_t)
-+')
-+
-+	optional_policy(`
-+		rpm_domtrans(unconfined_java_t)
- ')
-+')
-+
+-	unconfined_domain_noaudit(unconfined_java_t)
+-	unconfined_dbus_chat(unconfined_java_t)
+-')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc	2009-09-30 16:12:48.000000000 -0400
@@ -6561,7 +6574,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if	2009-10-13 11:03:54.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if	2009-10-23 09:23:13.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -6679,7 +6692,40 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3449,6 +3516,24 @@
+@@ -3320,6 +3387,32 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow shared library text relocations in tmp files.
++## </summary>
++## <desc>
++##	<p>
++##	Allow shared library text relocations in tmp files.
++##	</p>
++##	<p>
++##	This is added to support java policy.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_execmod_tmp',`
++	gen_require(`
++		attribute tmpfile;
++	')
++
++	allow $1 tmpfile:file execmod;
++')
++
++########################################
++## <summary>
+ ##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
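Review bot: The new `files_execmod_tmp` interface allows execmod across the whole `tmpfile` attribute, so every caller gets text relocations on every tmp type, including ones it can also write to; the `<desc>` should say that rather than repeating the summary sentence word for word. Its second paragraph, `This is added to support java policy.`, is already out of date within this commit, since execmem.if calls the interface as well; `Needed by runtimes (java and execmem domains) that load relocatable objects from /tmp.` states the scope as of this patch. It would also help to note in the desc that the caller still needs execute on the tmp type for the mapping itself, so readers do not mistake this for an execute grant.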
+@@ -3449,6 +3542,24 @@
  
  ########################################
  ## <summary>
@@ -6704,7 +6750,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
-@@ -3515,6 +3600,8 @@
+@@ -3515,6 +3626,8 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -6713,7 +6759,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3623,7 +3710,12 @@
+@@ -3623,7 +3736,12 @@
  		type usr_t;
  	')
  
@@ -6727,7 +6773,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3662,6 +3754,7 @@
+@@ -3662,6 +3780,7 @@
  	allow $1 usr_t:dir list_dir_perms;
  	read_files_pattern($1, usr_t, usr_t)
  	read_lnk_files_pattern($1, usr_t, usr_t)
@@ -6735,7 +6781,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -4188,6 +4281,24 @@
+@@ -4188,6 +4307,24 @@
  
  ########################################
  ## <summary>
@@ -6760,7 +6806,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Search the /var/lib directory.
  ## </summary>
  ## <param name="domain">
-@@ -4955,7 +5066,7 @@
+@@ -4955,7 +5092,7 @@
  	selinux_compute_member($1)
  
  	# Need sys_admin capability for mounting
@@ -6769,7 +6815,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Need to give access to the directories to be polyinstantiated
  	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4977,12 +5088,15 @@
+@@ -4977,12 +5114,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -6786,7 +6832,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -5003,3 +5117,173 @@
+@@ -5003,3 +5143,173 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -8804,8 +8850,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-10-22 14:38:40.000000000 -0400
-@@ -0,0 +1,411 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-10-23 08:59:33.000000000 -0400
+@@ -0,0 +1,425 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -9027,7 +9073,21 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +optional_policy(`
-+	java_run_unconfined(unconfined_t, unconfined_r)
++	java_role_template(unconfined, unconfined_r, unconfined_t)
++
++	files_execmod_all_files(unconfined_java_t)
++
++	init_dbus_chat_script(unconfined_java_t)
++
++	unconfined_domain_noaudit(unconfined_java_t)
++	unconfined_dbus_chat(unconfined_java_t)
++	optional_policy(`
++		hal_dbus_chat(unconfined_java_t)
++	')
++
++	optional_policy(`
++		rpm_domtrans(unconfined_java_t)
++	')
 +')
 +
 +optional_policy(`
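Review bot: `unconfined_java_t` is given `unconfined_domain_noaudit` and, on top of that, `files_execmod_all_files`, so the new java domain is not a confinement boundary — the transition from `unconfined_t` only moves execmod-style permissions into a separate type. That is a legitimate design, but nothing in the hunk says so; a comment above the block such as `# unconfined_java_t is itself unconfined; it exists so unconfined_t need not carry execmod on all files` would stop a later reader from treating it as a sandbox. The nested `rpm_domtrans(unconfined_java_t)` lets a Java process start the package manager in its own domain, which is consistent with "unconfined" but deserves the same explicit statement. The enclosing `optional_policy` block of unconfineduser.te continues outside the hunk.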
@@ -9623,7 +9683,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/cman_.*                       -s      gen_context(system_u:object_r:aisexec_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.32/policy/modules/services/aisexec.if
 --- nsaserefpolicy/policy/modules/services/aisexec.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/aisexec.if	2009-10-21 07:51:25.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/aisexec.if	2009-10-23 09:31:29.000000000 -0400
 @@ -0,0 +1,106 @@
 +## <summary>SELinux policy for Aisexec Cluster Engine</summary>
 +
@@ -9861,7 +9921,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/apache.fc	2009-10-01 08:26:33.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/apache.fc	2009-10-23 08:20:45.000000000 -0400
 @@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -9925,7 +9985,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +75,30 @@
+@@ -64,11 +75,33 @@
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -9950,6 +10010,8 @@ diff -b -B --ignore-all-space --exclude-
 +/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
 +/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +
++/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 +
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
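Review bot: Labelling `/var/www/html/configuration\.php` as `httpd_sys_content_rw_t` makes a PHP source file writable by the web server, so a compromised httpd process can rewrite code it later executes, along with whatever credentials such a file holds. This is presumably required by a web application whose installer writes its own configuration, but the hunk does not say which one, and the pattern only covers the default docroot. Add a comment naming the application and the reason, e.g. `# <app> installer writes its own configuration.php; must be writable by httpd_t`, so the exception can be revisited, and confirm the bare filename is specific enough not to cover unrelated files of the same name.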
@@ -9957,6 +10019,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-07-28 15:51:13.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/apache.if	2009-10-21 11:09:04.000000000 -0400
@@ -14795,21 +14858,73 @@ diff -b -B --ignore-all-space --exclude-
  
  /var/run/lircd\.pid		gen_context(system_u:object_r:lircd_var_run_t,s0)
 +/var/run/lircd(/.*)?		gen_context(system_u:object_r:lircd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.32/policy/modules/services/lircd.if
+--- nsaserefpolicy/policy/modules/services/lircd.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/lircd.if	2009-10-23 09:32:21.000000000 -0400
+@@ -32,12 +32,11 @@
+ #
+ interface(`lircd_stream_connect',`
+ 	gen_require(`
+-		type lircd_sock_t, lircd_t;
++		 type lircd_var_run_t, lircd_t;
+ 	')
+ 
+-	allow $1 lircd_t:unix_stream_socket connectto;
+-	allow $1 lircd_sock_t:sock_file write_sock_file_perms;
+ 	files_search_pids($1)
++        stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
+ ')
+ 
+ #######################################
+@@ -77,7 +76,7 @@
+ #
+ interface(`lircd_admin',`
+ 	gen_require(`
+-		type lircd_t, lircd_var_run_t, lircd_sock_t;
++		type lircd_t, lircd_var_run_t;
+ 		type lircd_initrc_exec_t, lircd_etc_t;
+ 	')
+ 
+@@ -94,6 +93,4 @@
+ 
+ 	files_search_pids($1)
+ 	admin_pattern($1, lircd_var_run_t)
+-
+-	admin_pattern($1, lircd_sock_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/lircd.te	2009-10-19 09:14:01.000000000 -0400
-@@ -37,12 +37,24 @@
- # pid file
++++ serefpolicy-3.6.32/policy/modules/services/lircd.te	2009-10-23 09:34:30.000000000 -0400
+@@ -16,13 +16,9 @@
+ type lircd_etc_t;
+ files_type(lircd_etc_t)
+ 
+-type lircd_var_run_t;
++type lircd_var_run_t alias lircd_sock_t;
+ files_pid_file(lircd_var_run_t)
+ 
+-# type for lircd /dev/ sock file
+-type lircd_sock_t;
+-files_type(lircd_sock_t)
+-
+ ########################################
+ #
+ # lircd local policy
+@@ -34,15 +30,24 @@
+ # etc file
+ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+ 
+-# pid file
  manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
  manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
 +manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
  files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
  
  # /dev/lircd socket
- manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
- dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+-manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
+-dev_filetrans(lircd_t, lircd_sock_t, sock_file )
++dev_filetrans(lircd_t, lircd_var_run_t, sock_file )
 +dev_read_generic_usb_dev(lircd_t)
-+
 +dev_filetrans_lirc(lircd_t)
 +dev_rw_lirc(lircd_t)
 +dev_rw_input_dev(lircd_t)
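Review bot: Indentation in the rewritten `lircd_stream_connect` is inconsistent: `++		 type lircd_var_run_t, lircd_t;` carries a stray space after the tabs and `++        stream_connect_pattern(...)` is indented with spaces where the surrounding refpolicy code uses a single tab; both should be tab-indented, `	type lircd_var_run_t, lircd_t;` and `	stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)`. Folding `lircd_sock_t` into `lircd_var_run_t` via `alias` keeps existing on-disk labels valid, which deserves a one-line comment next to the `type lircd_var_run_t alias lircd_sock_t;` declaration. The interface still grants only `files_search_pids($1)`, yet the `.te` now creates the socket under /dev (`dev_filetrans(lircd_t, lircd_var_run_t, sock_file )`); if clients connect through /dev/lircd rather than /var/run, callers presumably also need search on the /dev directory — confirm against a client domain.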
@@ -15094,20 +15209,23 @@ diff -b -B --ignore-all-space --exclude-
  mysql_write_log(mysqld_safe_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2009-09-30 16:12:48.000000000 -0400
-@@ -1,16 +1,21 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2009-10-23 08:00:38.000000000 -0400
+@@ -1,16 +1,22 @@
  /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
  /etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/nrpe	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
  
- /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
- /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+-/usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
+-/usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
++/usr/s?bin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/s?bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 -/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 +/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +/usr/lib(64)?/nagios/cgi(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++#/usr/lib(64)?/nagios/plugins(/.*)?	gen_context(system_u:object_r:nagios_plugin_exec_t,s0)
  
  /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
  /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
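Review bot: The added `#/usr/lib(64)?/nagios/plugins(/.*)?	gen_context(system_u:object_r:nagios_plugin_exec_t,s0)` line is commented out and refers to `nagios_plugin_exec_t`, a type no visible hunk declares, so it is dead configuration with no explanation. Either drop it or make the intent explicit, e.g. `# TODO: give plugins a dedicated exec type once nagios_plugin_exec_t exists; until then they keep the default bin label`, so the next maintainer knows whether plugins are meant to run in nrpe_t or transition. The switch to `/usr/s?bin/nagios` and `/usr/s?bin/nrpe` is fine as long as both binaries really are installed in either location.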
@@ -15224,7 +15342,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2009-10-23 09:18:37.000000000 -0400
 @@ -10,13 +10,12 @@
  type nagios_exec_t;
  init_daemon_domain(nagios_t, nagios_exec_t)
@@ -15252,7 +15370,17 @@ diff -b -B --ignore-all-space --exclude-
  type nrpe_t;
  type nrpe_exec_t;
  init_daemon_domain(nrpe_t, nrpe_exec_t)
-@@ -60,6 +62,8 @@
+@@ -33,6 +35,9 @@
+ type nrpe_etc_t;
+ files_config_file(nrpe_etc_t)
+ 
++type nrpe_var_run_t;
++files_pid_file(nrpe_var_run_t)
++
+ ########################################
+ #
+ # Nagios local policy
+@@ -60,6 +65,8 @@
  manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
  files_pid_filetrans(nagios_t, nagios_var_run_t, file)
  
@@ -15261,7 +15389,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_read_system_state(nagios_t)
  kernel_read_kernel_sysctls(nagios_t)
  
-@@ -127,39 +131,34 @@
+@@ -127,52 +134,57 @@
  #
  # Nagios CGI local policy
  #
@@ -15271,46 +15399,46 @@ diff -b -B --ignore-all-space --exclude-
  
 -allow nagios_cgi_t self:process signal_perms;
 -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-+allow httpd_nagios_script_t self:process signal_perms;
- 
+-
 -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
 -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++allow httpd_nagios_script_t self:process signal_perms;
  
 -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
 -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
 -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-+files_search_spool(httpd_nagios_script_t)
-+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
  
 -allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
 -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
 -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
++files_search_spool(httpd_nagios_script_t)
++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+ 
+-kernel_read_system_state(nagios_cgi_t)
 +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
 +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
 +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
  
--kernel_read_system_state(nagios_cgi_t)
+-corecmd_exec_bin(nagios_cgi_t)
 +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
 +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
 +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
  
--corecmd_exec_bin(nagios_cgi_t)
-+kernel_read_system_state(httpd_nagios_script_t)
- 
 -domain_dontaudit_read_all_domains_state(nagios_cgi_t)
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++kernel_read_system_state(httpd_nagios_script_t)
  
 -files_read_etc_files(nagios_cgi_t)
 -files_read_etc_runtime_files(nagios_cgi_t)
 -files_read_kernel_symbol_table(nagios_cgi_t)
-+files_read_etc_runtime_files(httpd_nagios_script_t)
-+files_read_kernel_symbol_table(httpd_nagios_script_t)
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
  
 -logging_send_syslog_msg(nagios_cgi_t)
 -logging_search_logs(nagios_cgi_t)
--
++files_read_etc_runtime_files(httpd_nagios_script_t)
++files_read_kernel_symbol_table(httpd_nagios_script_t)
+ 
 -miscfiles_read_localization(nagios_cgi_t)
 -
 -optional_policy(`
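Review bot: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the matching `read_lnk_files_pattern` use `nagios_etc_t` as the directory type while the file type is `nagios_log_t`; the preceding `allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;` shows the log directory is what was meant. The rule still works today because `list_dir_perms` on `nagios_log_t` already includes search, but the mismatch (carried over from the removed `nagios_cgi_t` lines) misleads readers and would break if that dir rule were ever tightened. Change both to `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`.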
@@ -15320,6 +15448,39 @@ diff -b -B --ignore-all-space --exclude-
  
  ########################################
  #
+ # Nagios remote plugin executor local policy
+ #
+ 
++allow nrpe_t self:capability {setuid setgid};
+ dontaudit nrpe_t self:capability sys_tty_config;
+ allow nrpe_t self:process { setpgid signal_perms };
+ allow nrpe_t self:fifo_file rw_fifo_file_perms;
++allow nrpe_t self:tcp_socket create_stream_socket_perms;
+ 
+-allow nrpe_t nrpe_etc_t:file read_file_perms;
++read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
+ files_search_etc(nrpe_t)
+ 
++manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
++files_pid_filetrans(nrpe_t,nrpe_var_run_t,file)
++files_read_etc_files(nrpe_t)
++
++corenet_tcp_bind_generic_node(nrpe_t)
++corenet_tcp_bind_inetd_child_port(nrpe_t)
++corenet_sendrecv_unlabeled_packets(nrpe_t)
++
+ kernel_read_system_state(nrpe_t)
+ kernel_read_kernel_sysctls(nrpe_t)
+ 
+@@ -192,6 +204,8 @@
+ 
+ miscfiles_read_localization(nrpe_t)
+ 
++sysnet_read_config(nrpe_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+ 
+ optional_policy(`
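Review bot: Replacing `allow nrpe_t nrpe_etc_t:file read_file_perms;` with `read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)` removes nrpe_t's only visible read access to `nrpe_etc_t`, yet the type is still declared in this patch and the fc still labels `/etc/nagios/nrpe\.cfg` with it, so the daemon would presumably be unable to read its own configuration unless a rule outside this hunk covers it — keep `read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)` next to the new nagios_etc_t rule, or relabel nrpe.cfg. The new `allow nrpe_t self:capability {setuid setgid};` is a privilege grant whose purpose should be stated, e.g. `# nrpe drops to its configured unprivileged user after binding its port`. Minor style: `files_pid_filetrans(nrpe_t,nrpe_var_run_t,file)` and `{setuid setgid}` lack the spaces the rest of the file uses.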
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc	2009-09-30 16:12:48.000000000 -0400
@@ -20486,7 +20647,7 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/share/setroubleshoot/SetroubleshootFixit\.py* 	--	gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if	2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if	2009-10-22 15:56:48.000000000 -0400
 @@ -16,8 +16,8 @@
  	')
  
@@ -20498,7 +20659,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -36,6 +36,102 @@
+@@ -36,6 +36,123 @@
  		type setroubleshootd_t, setroubleshoot_var_run_t;
  	')
  
@@ -20530,6 +20691,27 @@ diff -b -B --ignore-all-space --exclude-
 +
 +########################################
 +## <summary>
++##	dontaudit send and receive messages from
++##	setroubleshoot over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`setroubleshoot_dontaudit_dbus_chat',`
++	gen_require(`
++		type setroubleshootd_t;
++		class dbus send_msg;
++	')
++
++	dontaudit $1 setroubleshootd_t:dbus send_msg;
++	dontaudit setroubleshootd_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
 +##	Send and receive messages from
 +##	setroubleshoot over dbus.
 +## </summary>
@@ -22043,6 +22225,219 @@ diff -b -B --ignore-all-space --exclude-
  
 -/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_t,s0)
 +/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_rw_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc
+--- nsaserefpolicy/policy/modules/services/tuned.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/tuned.fc	2009-10-23 09:38:54.000000000 -0400
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/tuned	--	gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
++
++/usr/sbin/tuned			--	gen_context(system_u:object_r:tuned_exec_t,s0)
++
++/var/run/tuned\.pid		--	gen_context(system_u:object_r:tuned_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.if serefpolicy-3.6.32/policy/modules/services/tuned.if
+--- nsaserefpolicy/policy/modules/services/tuned.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/tuned.if	2009-10-23 09:38:54.000000000 -0400
+@@ -0,0 +1,136 @@
++
++## <summary>policy for tuned - dynamic adaptive system tuning daemon</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run tuned.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`tuned_domtrans',`
++	gen_require(`
++		type tuned_t, tuned_exec_t;
++	')
++
++	domtrans_pattern($1,tuned_exec_t,tuned_t)
++')
++
++#######################################
++## <summary>
++##      Execute tuned in the caller domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`tuned_exec',`
++        gen_require(`
++                type tuned_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        can_exec($1, tuned_exec_t)
++')
++
++######################################
++## <summary>
++##      Read tuned PID files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`tuned_read_pid_files',`
++        gen_require(`
++                type tuned_var_run_t;
++        ')
++
++        files_search_pids($1)
++        read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
++')
++
++#######################################
++## <summary>
++##      Manage tuned PID files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`tuned_manage_pid_files',`
++        gen_require(`
++                type tuned_var_run_t;
++        ')
++
++        files_search_pids($1)
++        manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute tuned server in the tuned domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`tuned_initrc_domtrans',`
++	gen_require(`
++		type tuned_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1,tuned_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an tuned environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`tuned_admin',`
++	gen_require(`
++		type tuned_t, tuned_var_run_t;
++	')
++
++	allow $1 tuned_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, tuned_t, tuned_t)
++	        
++
++	gen_require(`
++		type tuned_initrc_exec_t;
++	')
++
++	tuned_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 tuned_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_pids($1)
++        admin_pattern($1, tuned_var_run_t)
++
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
+--- nsaserefpolicy/policy/modules/services/tuned.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/tuned.te	2009-10-23 09:38:54.000000000 -0400
+@@ -0,0 +1,59 @@
++
++policy_module(tuned,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type tuned_t;
++type tuned_exec_t;
++init_daemon_domain(tuned_t, tuned_exec_t)
++
++type tuned_initrc_exec_t;
++init_script_file(tuned_initrc_exec_t)
++
++type tuned_var_run_t;
++files_pid_file(tuned_var_run_t)
++
++permissive tuned_t;
++
++########################################
++#
++# tuned local policy
++#
++
++dontaudit tuned_t self:capability { dac_override };
++
++manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
++files_pid_filetrans(tuned_t, tuned_var_run_t, { file })
++
++corecmd_exec_shell(tuned_t)
++
++kernel_read_system_state(tuned_t)
++kernel_read_network_state(tuned_t)
++
++dev_read_sysfs(tuned_t)
++
++# to allow cpu tuning
++dev_rw_netcontrol(tuned_t)
++
++files_read_etc_files(tuned_t)
++files_read_usr_files(tuned_t)
++
++files_dontaudit_search_home(tuned_t)
++
++userdom_dontaudit_search_user_home_dirs(tuned_t)
++
++miscfiles_read_localization(tuned_t)
++
++# to allow disk tuning
++optional_policy(`
++	fstools_domtrans(tuned_t)
++')
++
++# to allow network interface tuning
++optional_policy(`
++	sysnet_domtrans_ifconfig(tuned_t)
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.32/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/uucp.te	2009-09-30 16:12:48.000000000 -0400
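Review bot: The new tuned module ships with `permissive tuned_t;`, so none of the allow rules below are enforced and the domain — which transitions into fstools and ifconfig via `fstools_domtrans(tuned_t)` and `sysnet_domtrans_ifconfig(tuned_t)` and writes tuning device nodes via `dev_rw_netcontrol(tuned_t)` — runs effectively unconfined while only logging denials. Landing a domain permissive is normal, but it needs an explicit exit criterion so it is not forgotten: `# TODO: drop permissive once tuned has completed a full profile cycle with no new AVCs`. `tuned_admin` grants `ptrace` on tuned_t, which lets the admin role read the daemon's memory; if that is kept for consistency with other `*_admin` interfaces, a comment saying so would help. Style: tuned.if mixes tab- and space-indented interfaces (`tuned_exec`, `tuned_read_pid_files`, `tuned_manage_pid_files`, the `admin_pattern` line) and `tuned_admin` has a whitespace-only line after `read_files_pattern`; normalise to tabs.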
@@ -29825,7 +30220,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-10-22 13:55:01.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-10-23 09:13:02.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -30195,7 +30590,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="userdomain_prefix">
  ##	<summary>
-@@ -420,35 +414,54 @@
+@@ -420,35 +414,58 @@
  ##	is the prefix for user_t).
  ##	</summary>
  ## </param>
@@ -30251,6 +30646,10 @@ diff -b -B --ignore-all-space --exclude-
 -	xserver_dontaudit_write_log($1_t)
 -	xserver_stream_connect_xdm($1_t)
 +	optional_policy(`
++		setroubleshoot_dontaudit_dbus_chat($1)
++	')
++
++	optional_policy(`
 +		xserver_user_client($1, user_tmpfs_t)
 +		xserver_xsession_entry_type($1)
 +		xserver_dontaudit_write_log($1)
@@ -30269,7 +30668,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -498,7 +511,7 @@
+@@ -498,7 +515,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -30278,7 +30677,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -508,182 +521,213 @@
+@@ -508,182 +525,213 @@
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -30299,27 +30698,27 @@ diff -b -B --ignore-all-space --exclude-
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
+-
+-	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
 +	kernel_request_load_module($1_usertype)
  
--	corecmd_exec_bin($1_t)
+-	corenet_udp_bind_generic_node($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	corenet_udp_bind_generic_node($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
--
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -30395,37 +30794,37 @@ diff -b -B --ignore-all-space --exclude-
 +
 +	optional_policy(`
 +		alsa_read_rw_config($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		# Allow graphical boot to check battery lifespan
-+		apm_stream_connect($1_usertype)
  	')
  
 -	tunable_policy(`user_ttyfile_stat',`
 -		term_getattr_all_user_ttys($1_t)
 +	optional_policy(`
-+		canna_stream_connect($1_usertype)
++		# Allow graphical boot to check battery lifespan
++		apm_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
-+		chrome_role($1_r, $1_usertype)
++		canna_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
++		chrome_role($1_r, $1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		canna_stream_connect($1_t)
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
 +
 +		optional_policy(`
 +			avahi_dbus_chat($1_usertype)
- 	')
- 
- 	optional_policy(`
--		canna_stream_connect($1_t)
++		')
++
++		optional_policy(`
 +			bluetooth_dbus_chat($1_usertype)
  	')
  
@@ -30491,21 +30890,21 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
 -		modutils_read_module_config($1_t)
 +		modutils_read_module_config($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		mta_rw_spool($1_usertype)
-+		mta_manage_queue($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_rw_spool($1_t)
-+		nsplugin_role($1_r, $1_usertype)
++		mta_rw_spool($1_usertype)
++		mta_manage_queue($1_usertype)
  	')
  
  	optional_policy(`
 -		tunable_policy(`allow_user_mysql_connect',`
 -			mysql_stream_connect($1_t)
++		nsplugin_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
 +		tunable_policy(`allow_user_postgresql_connect',`
 +			postgresql_stream_connect($1_usertype)
  		')
@@ -30565,18 +30964,20 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -711,13 +755,26 @@
+@@ -711,13 +759,26 @@
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
-+
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
@@ -30587,9 +30988,7 @@ diff -b -B --ignore-all-space --exclude-
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -30597,7 +30996,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	userdom_change_password_template($1)
  
-@@ -735,70 +792,72 @@
+@@ -735,70 +796,72 @@
  
  	allow $1_t self:context contains;
  
@@ -30703,7 +31102,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -826,6 +885,8 @@
+@@ -826,6 +889,8 @@
  	')
  
  	userdom_login_user_template($1)
@@ -30712,7 +31111,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
-@@ -836,6 +897,25 @@
+@@ -836,6 +901,25 @@
  	#
  
  	optional_policy(`
@@ -30738,7 +31137,7 @@ diff -b -B --ignore-all-space --exclude-
  		loadkeys_run($1_t,$1_r)
  	')
  ')
-@@ -865,51 +945,93 @@
+@@ -865,51 +949,93 @@
  
  	userdom_restricted_user_template($1)
  
@@ -30755,12 +31154,12 @@ diff -b -B --ignore-all-space --exclude-
  	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
 +	auth_search_pam_console_data($1_usertype)
++
++	xserver_role($1_r, $1_t)
++	xserver_communicate($1_usertype, $1_usertype)
  
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
-+	xserver_role($1_r, $1_t)
-+	xserver_communicate($1_usertype, $1_usertype)
-+
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
  	# gnome keyring wants to read this.
@@ -30795,12 +31194,12 @@ diff -b -B --ignore-all-space --exclude-
 +	optional_policy(`
 +		alsa_read_rw_config($1_usertype)
 +	')
-+
+ 
+-	xserver_restricted_role($1_r, $1_t)
 +	optional_policy(`
 +		apache_role($1_r, $1_usertype)
 +	')
- 
--	xserver_restricted_role($1_r, $1_t)
++
 +	optional_policy(`
 +		devicekit_dbus_chat($1_usertype)
 +		devicekit_dbus_chat_disk($1_usertype)
@@ -30845,7 +31244,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -943,8 +1065,8 @@
+@@ -943,8 +1069,8 @@
  	# Declarations
  	#
  
@@ -30855,7 +31254,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_common_user_template($1)
  
  	##############################
-@@ -953,58 +1075,67 @@
+@@ -953,58 +1079,67 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -30889,10 +31288,14 @@ diff -b -B --ignore-all-space --exclude-
 -			storage_raw_read_removable_device($1_t)
 +	optional_policy(`
 +		cdrecord_role($1_r, $1_t)
- 		')
++	')
 +
 +	optional_policy(`
 +		cron_role($1_r, $1_t)
+ 		')
++
++	optional_policy(`
++		games_rw_data($1_usertype)
  	')
  
 -	tunable_policy(`user_dmesg',`
@@ -30900,7 +31303,7 @@ diff -b -B --ignore-all-space --exclude-
 -	',`
 -		kernel_dontaudit_read_ring_buffer($1_t)
 +	optional_policy(`
-+		games_rw_data($1_usertype)
++		gpg_role($1_r, $1_usertype)
  	')
  
 -	# Allow users to run TCP servers (bind to ports and accept connection from
@@ -30910,32 +31313,28 @@ diff -b -B --ignore-all-space --exclude-
 -		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 +	optional_policy(`
-+		gpg_role($1_r, $1_usertype)
++		gpm_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r)
 -		netutils_run_traceroute_cond($1_t,$1_r)
-+		gpm_stream_connect($1_usertype)
++		execmem_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		postgresql_role($1_r,$1_t)
-+		execmem_role_template($1, $1_r, $1_t)
++		java_role_template($1, $1_r, $1_t)
  	')
  
 -	# Run pppd in pppd_t by default for user
  	optional_policy(`
 -		ppp_run_cond($1_t,$1_r)
-+		java_role_template($1, $1_r, $1_t)
++		mono_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
-+		mono_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
 +		mount_run($1_t, $1_r)
 +	')
 +
@@ -30953,7 +31352,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -1040,7 +1171,7 @@
+@@ -1040,7 +1175,7 @@
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -30962,7 +31361,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	##############################
-@@ -1049,8 +1180,7 @@
+@@ -1049,8 +1184,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -30972,7 +31371,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1075,6 +1205,9 @@
+@@ -1075,6 +1209,9 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -30982,7 +31381,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1222,7 @@
+@@ -1089,6 +1226,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -30990,7 +31389,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1096,8 +1230,6 @@
+@@ -1096,8 +1234,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -30999,7 +31398,7 @@ diff -b -B --ignore-all-space --exclude-
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1124,12 +1256,11 @@
+@@ -1124,12 +1260,11 @@
  	files_exec_usr_src_files($1_t)
  
  	fs_getattr_all_fs($1_t)
@@ -31014,7 +31413,7 @@ diff -b -B --ignore-all-space --exclude-
  	term_use_all_terms($1_t)
  
  	auth_getattr_shadow($1_t)
-@@ -1152,20 +1283,6 @@
+@@ -1152,20 +1287,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -31035,7 +31434,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1328,7 @@
+@@ -1211,6 +1332,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -31043,7 +31442,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1276,11 +1394,15 @@
+@@ -1276,11 +1398,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -31059,7 +31458,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1391,12 +1513,13 @@
+@@ -1391,12 +1517,13 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -31074,7 +31473,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1429,6 +1552,14 @@
+@@ -1429,6 +1556,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -31089,7 +31488,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1444,9 +1575,11 @@
+@@ -1444,9 +1579,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -31101,7 +31500,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1503,6 +1636,42 @@
+@@ -1503,6 +1640,42 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -31144,7 +31543,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1577,6 +1746,8 @@
+@@ -1577,6 +1750,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -31153,7 +31552,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1619,6 +1790,24 @@
+@@ -1619,6 +1794,24 @@
  
  ########################################
  ## <summary>
@@ -31178,7 +31577,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1670,6 +1859,7 @@
+@@ -1670,6 +1863,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -31186,7 +31585,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1797,19 +1987,32 @@
+@@ -1797,19 +1991,32 @@
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -31226,7 +31625,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1844,6 +2047,7 @@
+@@ -1844,6 +2051,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -31234,7 +31633,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,7 +2595,7 @@
+@@ -2391,7 +2599,7 @@
  
  ########################################
  ## <summary>
@@ -31243,7 +31642,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2399,19 +2603,20 @@
+@@ -2399,19 +2607,20 @@
  ##	</summary>
  ## </param>
  #
@@ -31267,7 +31666,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2419,38 +2624,17 @@
+@@ -2419,33 +2628,12 @@
  ##	</summary>
  ## </param>
  #
@@ -31282,11 +31681,10 @@ diff -b -B --ignore-all-space --exclude-
 -	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
 -	allow $1 user_tmpfs_t:dir list_dir_perms;
 -	fs_search_tmpfs($1)
-+	allow $1 user_tty_device_t:chr_file getattr;
- ')
- 
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
 -##	Get the attributes of a user domain tty.
 -## </summary>
 -## <param name="domain">
@@ -31301,16 +31699,11 @@ diff -b -B --ignore-all-space --exclude-
 -	')
 -
 -	allow $1 user_tty_device_t:chr_file getattr;
--')
--
--########################################
--## <summary>
--##	Do not audit attempts to get the attributes of a user domain tty.
-+##	Do not audit attempts to get the attributes of a user domain tty.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2749,7 +2933,7 @@
++	allow $1 user_tty_device_t:chr_file getattr;
+ ')
+ 
+ ########################################
+@@ -2749,7 +2937,7 @@
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -31319,7 +31712,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2765,11 +2949,32 @@
+@@ -2765,11 +2953,32 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -31354,7 +31747,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2897,7 +3102,25 @@
+@@ -2897,7 +3106,25 @@
  		type user_tmp_t;
  	')
  
@@ -31381,7 +31774,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2934,6 +3157,7 @@
+@@ -2934,6 +3161,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -31389,7 +31782,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3288,578 @@
+@@ -3064,3 +3292,578 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.949
retrieving revision 1.950
diff -u -p -r1.949 -r1.950
--- selinux-policy.spec	22 Oct 2009 19:59:10 -0000	1.949
+++ selinux-policy.spec	23 Oct 2009 14:40:39 -0000	1.950
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Oct 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-33
+- Allow firefox to transition to java
+
 * Thu Oct 22 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-32
 - Allow unconfined_execmem_t to transition to sandbox
 - Allow postfix_cleanup to read etc_alias



